We’re living in an interconnected world that offers a lot of conveniences. We can use Google, Facebook, and OAuth to connect to online services and apps. The downside is that there are more “bad actors” trying to trick us and gain access to our info. And sometimes we forget which apps we granted access to, which might impact our online security.
Why Grant Google Access
You’ve probably noticed that when you sign up for some online services, you can log in with your Google account. This often makes it easier, so you don’t have to remember another password. Or it could be that the service needs to access a Google service or component, such as your contacts, Google Analytics, Google Calendar, and so on. It’s become so familiar that we seldom pause when granting access.
Apps with Access to Your Account
Apart from approved applications, some “bad actors” like to devise ways to gain access. These attempts can come in many forms, so it’s good practice to check which apps have access. A recent phishing attack made me review who I granted access to, including third-party apps. It was enlightening, as there were online services that I’d stopped using. And some that I couldn’t remember. It gave me an opportunity to do a security checkup.
How to Check Google Account Access
I should mention that Google has several security tools. This “apps with access” page is part of a larger umbrella that you can find at https://myaccount.google.com/security.
- Go to https://myaccount.google.com/permissions
- You’ll see a list of current services (1) you’ve allowed and their permissions (2). In my example below, you’ll see they’re not all Google apps. I have an Amazon Echo (3) which can access certain features. I can say, “Alexa what’s my next appointment?”, and she reads my Google Calendar.
- If you see an item that you don’t need or recognize, you can click it to get more details. The panel will expand with more information, including the app’s name (1), access rights (2) and the date you approved access (3).
- In this case, I know the Optimizely app, but I no longer need the functionality, so I can click the REMOVE button to revoke access.
Levels of Access
As you can see above, there are multiple access levels. Some access is minimal, whereas other apps have “full access”. “Full access” isn’t an entirely accurate name, as these apps can’t delete your account or make purchases with Google Wallet. You need to be very careful about which apps you trust with this level of access.
Another item to review is whether an app has “read and write access”. Many legitimate apps do. For example, you may have a phone app that automatically updates Facebook with how many miles you ran or your sleep.
My rule of thumb is if you don’t know the app, remove it. If revoking access breaks something, the app will let you know it needs to reauthorize.
What is this App or Service?
The biggest issue I’ve encountered is not recognizing an app or service. For example, I spotted this one – Project Default Service Account.
I haven’t a clue what it is, even considering the authorization date. If I Google Project Default Service Account, I see several suggestions.
- A developer who used a default name when generating an application using the Android SDK.
In this case, I’ll remove the authorization and see if some app screams. Better safe than sorry.
This tutorial focused just on Google Account security. Now might be the time to look at other services you use, such as Facebook, to see if the same problems exist.